From 5c8854abef570bf62930902ec6ca6b9df4523458 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 23 Jan 2016 08:41:47 -0800
Subject: [PATCH] app.te: grant /system dir/file/symlink read

Renderscript needs the ability to read directories on
/system. Allow it and file/symlink read access.

Addresses the following denials:
  RenderScript: Invoking /system/bin/ld.mc with args '/system/bin/ld.mc -shared -nostdlib
    /system/lib64/libcompiler_rt.so -mtriple=aarch64-none-linux-gnueabi
    --library-path=/system/vendor/lib64 --library-path=/system/lib64
    -lRSDriver -lm -lc
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/primitives.o
    -o
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/librs.primitives.so'
  ld.mc   : type=1400 audit(0.0:1340): avc: denied { read } for name="lib64" dev="mmcblk0p24" ino=212 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  ld.mc   : type=1400 audit(0.0:1341): avc: denied { read } for name="lib64" dev="mmcblk0p29" ino=1187 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  RenderScript: Child process "/system/bin/ld.mc" terminated with status 256

Change-Id: I9fb989f66975ed553dbc0c49e9c5b5e5bc45b3c3
---
 app.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app.te b/app.te
index 01de57fd2..f7f1a2170 100644
--- a/app.te
+++ b/app.te
@@ -92,6 +92,9 @@ allow appdomain shell_exec:file rx_file_perms;
 allow appdomain system_file:file rx_file_perms;
 allow appdomain toolbox_exec:file rx_file_perms;
 
+# Renderscript needs the ability to read directories on /system
+r_dir_file(appdomain, system_file)
+
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
 
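Review bot: The comment above `r_dir_file(appdomain, system_file)` mentions only directory reads, but the macro also grants read on `system_file` files and symlinks, and it applies to every domain in `appdomain`. The denials quoted in the commit message show only `scontext=u:r:untrusted_app` with `tclass=dir`. File read is already covered by the `rx_file_perms` rule a few lines up, so the real additions are directory listing and symlink read across all app domains. The comment should say so, for example `# Renderscript (ld.mc) lists library dirs on /system; this also grants symlink read to all app domains`. If symlink read turns out not to be needed, `allow appdomain system_file:dir r_dir_perms;` would match the logged denials more closely.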
-- 
GitLab